How to manually backup MikroTik with the terminal step by step
A comprehensive guide to manually backing up MikroTik routers and restoring settings with the terminal.

How to manually backup MikroTik with the terminal step by step

  • 4 minute read
This guide will show you how to manually backup your MikroTik using the terminal step by step. You will learn about different methods for creating backups, exporting certificate files, and security tips.
Elahe
  • May 12, 2026
0 Shares
0
0
0
0
0
Shares
0
0
0
0
  1. How to back up MikroTik securely and reliably?
  2. Overview: Types of backups on MikroTik and important differences
  3. Prerequisites and security tips
  4. Taking a Manual Backup — Step by Step (Terminal)
    1. Connecting to the router
    2. Creating a binary backup (.backup)
    3. Getting text output (export .rsc)
  5. Export Certificate — Tips and Examples
  6. Download backup and certificate files to the management server or locally
  7. Restore — Methods and Tips
    1. Restore from .backup (binary) file
    2. Restore from export (.rsc)
    3. Import Certificate (.p12)
  8. Scheduling script for automatic backup and transfer to VPS/Storage
  9. Practical tips and best practices
  10. Quick checklist for backup and restore
  11. Issues related to cloud services and networking
  12. Common problems and their solutions
  13. Conclusion
  14. Frequently Asked Questions

How to back up MikroTik securely and reliably?

In this comprehensive, step-by-step guide, we'll show you how to: Manual backup From MikroTik routers using terminal (SSH/CLI), generate binary backup file (.backup), get editable text output (.rsc), export certificates to secure formats (e.g. PKCS#12/.p12 or PEM in supported versions) and then Transfer, secure storage and restore You will learn.

Overview: Types of backups on MikroTik and important differences

There are at least three common types of backup outputs in MikroTik:

  • Backup (.backup): Binary file that is created with the command /system backup save It is built. It is fast and comprehensive, but platform-dependent and may not be transferable between hardware or versions.
  • Export (.rsc): Text output (script) that /export file=… It is produced; editable and suitable for migration between devices.
  • CertificatesCertificates are usually in the following section: certificate are stored. For secure transfer, export them to PKCS#12 (.p12) to include the private key (with passphrase).

Prerequisites and security tips

Before you begin, make sure you have administrative access to the device (SSH or Winbox/WebFig). To transfer files from secure paths such as SCP/SFTP Or use HTTPS and avoid FTP without TLS.

Best practices include: Backup encryption, storing them offsite (e.g. S3-compatible storage or VPS in different locations) and planning for periodic restore testing.

Taking a Manual Backup — Step by Step (Terminal)

The basic steps to take a backup via CLI are as follows: Run the commands in the SSH terminal.

Connecting to the router

ssh [email protected]

Creating a binary backup (.backup)

/system backup save name=router-backup-2026-05-01
/file print

The created file usually has the extension . .backup appears (for example router-backup-2026-05-01.backup).

Getting text output (export .rsc)

/export file=full-config-2026-05-01
/export verbose file=full-config-2026-05-01

This text file (full-config-2026-05-01.rsc) can be opened with a text editor and the commands can be applied separately.

Export Certificate — Tips and Examples

First, check the list of certificates and then, if necessary, export them to PKCS#12 so that the private key is included.

/certificate print
/certificate export-certificate mycert passphrase="StrongP@ssw0rd" file-name=mycert-2026.p12

Download backup and certificate files to the management server or locally

After creating the files, use the following methods to retrieve them:

  • SCP From the Linux machine/management server:
    scp [email protected]:router-backup-2026-05-01.backup /backups/mikrotik/
scp [email protected]:mycert-2026.p12 /backups/secure-certs/
  • Winbox/WebFig: Use the Files section with Drag & Drop or the Download button.
  • Upload to cloud or VPS: The backup server receives files with SFTP/rsync. Example cron on the backup server:
    0 3 * * * scp [email protected]:router-backup-$(date +\%F).backup /srv/backups/mikrotik/
  • If you need to upload directly from the router and the router supports FTP-TLS or SFTP, use /tool fetch Use with upload=yes:
    /tool fetch address=ftp.example.com src-path=router-backup-2026-05-01.backup user=ftpuser password=ftppass upload=yes

Restore — Methods and Tips

There are two main methods for restoring: loading a binary backup and importing a text export.

Restore from .backup (binary) file

Upload the file to the Files folder with SCP or Winbox, and then:

/system backup load name=router-backup-2026-05-01.backup
/system reboot

Warning: Binary backups may not be compatible with different hardware or versions.

Restore from export (.rsc)

/import file-name=full-config-2026-05-01.rsc

This method is text-based and is more suitable for migrating between devices.

Import Certificate (.p12)

/certificate import file-name=mycert-2026.p12 passphrase="StrongP@ssw0rd"
/certificate print

After importing, reconfigure the services that use that certificate (IPsec, HTTPS, Hotspot, etc.).

Scheduling script for automatic backup and transfer to VPS/Storage

Example of a script in RouterOS for creating daily backups, exporting, and managing version maintenance:

/system script add name=auto-backup source={
  :local fname ("router-backup-" . [/system clock get date]);
  /system backup save name=$fname;
  /export file=("export-" . $fname);
}
  
/system scheduler add name=auto-backup-sched start-time=startup interval=1d on-event="/system script run auto-backup"

To transfer files from the router to the protected server, use a cron on the backup server:

0 4 * * * scp admin@router:router-backup-$(date +\%F).backup /srv/backups/mikrotik/

Practical tips and best practices

  • At least one copy off-site Keep (e.g. VPS or Object Storage in different locations).
  • Use export (.rsc) for migration to reduce hardware dependencies.
  • Files containing the private key with passphrase Use strong encryption.
  • Schedule periodic restore drills.
  • Enable versioning; at least 7 to 30 versions depending on risk.
  • Restrict access to backup files and maintain access logs.

Quick checklist for backup and restore

  • [ ] Creating a binary backup: /system backup save name=…
  • [ ] Preparing a text export: /export file=…
  • [ ] Export certificate with passphrase: /certificate export-certificate...
  • [ ] Download files with SCP/SFTP/Winbox
  • [ ] Offsite storage and encryption
  • [ ] import test: /import file-name=… and /system backup load name=…
  • [ ] Securely delete temporary files from the router after transfer

Issues related to cloud services and networking

To distribute backups and reduce RTO/RPO, it is recommended to use VPS or Object Storage across multiple locations. For sensitive environments, it is critical to use Anti-DDoS servers and storage encryption.

In cases of heavy processing such as Netflow or RPKI analysis, you can use powerful servers or GPUs.

Common problems and their solutions

  • Error loading .backup: Usually caused by architecture or version differences — use export (.rsc).
  • Certificate lost after restore: Make sure you import the p12 file and reconfigure the services.
  • Unable to transfer files with SCP: Check that SSH is enabled and that the firewall allows access.

Conclusion

Manually backing up MikroTik with the terminal, managing certificates, and restoring them is safe when you use appropriate methods (.backup for quick restore, .rsc for migration, and .p12 for certificates), secure transfer (SCP/SFTP), and offsite storage.

Performing periodic restore testing and adhering to security best practices ensures that you can act quickly and confidently in the face of an incident.

Frequently Asked Questions

In this article:
,,,
Post written by:
Follow
Previous Article
You May Also Like